From dce7ac0b4b0ba85898892dfeb518b20c82149faf Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Fri, 16 Jan 2026 14:40:44 +0000 Subject: [PATCH] CHANGELOG: add SSH policy breaking change for 0.28.0 Document that SSH rules now validate src/dst combinations following Tailscale's policy rules. Policies with tag->user or group->user SSH rules are now rejected at load time. Updates #3010 --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 822964e4..2ac796f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -87,6 +87,10 @@ sequentially through each stable release, selecting the latest patch version ava address in the user profile. This is now rejected during authentication with an `unverified email` error. - When `false`, unverified emails are allowed for OIDC authentication and the email address is stored in the user profile regardless of its verification state. +- **SSH Policy**: SSH rules now validate that when destination contains a username, source must contain only the same username [#3018](https://github.com/juanfont/headscale/pull/3018) + - Previously accepted policies with `src: ["tag:foo"]` and `dst: ["user@"]` are now rejected + - This aligns with Tailscale's policy: tagged devices cannot SSH to user-owned devices + - Error message: "users in dst are only allowed from the same user" ### Changes
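Review bot: the new CHANGELOG entry only illustrates the `src: ["tag:foo"]` / `dst: ["user@"]` case, while the commit message says group->user SSH rules are rejected as well; add a `group:` example or state plainly that both tag and group sources are rejected when `dst` names a user, so operators with `src: ["group:..."]` rules know their policy is affected too. Since the commit message says rejection happens at policy load time, the entry would also be more useful as a breaking-change note if it told operators to fix such rules before upgrading and how (change `src` to the same user the `dst` names, or change `dst` to a tag), rather than leaving them to discover the "users in dst are only allowed from the same user" error after the fact.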